Robust and Efficient Sifting-Less Quantum Key Distribution Protocols 
We show that replacing the usual sifting step of the standard quantum-key-distribution protocol BB84 [1] by a one-way reverse reconciliation procedure increases its robustness against photon-number-splitting (pns) attacks to the level of the SARG04 protocol [2, 3] while keeping the raw key rate of BB84. This protocol, which uses the same states and detection as BB84, is the m = 4 member of a protocol family using m polarization states which we introduce here. We show that the robustness of these protocols against pns attacks increases exponentially with m, and that the effective key rate of optimized weak coherent pulses decreases with the transmission T like $T^{1+\frac{1}{m-2}}$.

PACS numbers: 03.67.Ac, 03.67.Dd, 03.67.Hk 



Over the last 25 years, quantum key distribution (QKD) has emerged as the main application of quantum information. In most experimental realizations [4], the legitimate partners, traditionally named Alice and Bob, use the BB84 protocol [1] with weak coherent pulses (wcp), i.e. Alice sends polarized coherent states to Bob, and Bob measures their polarization to obtain the raw key. Alice and Bob then post-select a subset of the measurements to obtain the sifted key, from which the cryptographic key is extracted. If Alice sends perfect single photons, there is no way for an eavesdropper, traditionally named Eve, to learn anything about the sifted key without introducing errors. But with wcps, Alice only approximates single photons, and she sometimes sends multiphoton pulses, on which Eve can get all the information through a photon-number-splitting (pns) attack [5]. SARG04 [2, 3] showed that, with the same modulation and detection as BB84, one can construct a protocol more robust against pns, since Eve only gains partial information from 2-photon pulses and needs to wait for the rarer 3-photon pulses to gain the full information. However, for the same pulse intensity, SARG04's rate is half that of BB84 at low losses, because of the lower rate of its sifting. As shown in [3], SARG04's robustness can be increased by using m polarizations instead of 4, at the price of a lower sifting rate $\propto m^{-3}$. This article shows that this price is not necessary, and that it is possible to have the best of both protocols, i.e. BB84's rate and SARG04's robustness against photon-number-splitting attacks.

BB84 and SARG04 are sifting-based protocols, i.e. protocols where a part of the data is "sifted away" because Alice's state and Bob's measurement are not in the "same basis". We will look here at sifting-less protocols, i.e. protocols where this discussion is absent, and therefore where the "wrong-basis" data are kept in the raw key.

Protocol description. Alice randomly chooses one linear polarization and sends the corresponding phase-randomized weak coherent pulse (wcp). Let $m \ge 3$ be the total number of possible polarizations. To simplify the analysis, we will suppose that the polarizations are uniformly distributed along a great circle of the Poincaré sphere. Let $|0\rangle$ and $|1\rangle$ be the states of two orthogonally polarized single photons. If the pulse contains n photons, Alice sends the state $|x,n,m\rangle := |x\theta_m\rangle^{\otimes n}$ with $\theta_m := \frac{2\pi}{m}$, x uniformly chosen in [0, m − 1], and $|\theta\rangle := \frac{1}{\sqrt{2}}\left(|0\rangle + e^{i\theta}|1\rangle\right)$. If m = 4, one has the 4 states used in BB84, SARG04 as well as LG09 [6].

Bob measures the polarization of the pulses after propagation through a channel of transmission T. The public comparison of a small subset of the measurements allows Alice and Bob to statistically determine the characteristics of the channel, namely T and its qubit error rate (qber). In this first analysis, we will suppose this statistical evaluation to be exact, neglecting the finite-size effects [7]. We will also limit ourselves to the error-less case, where the qber is 0, except in the conclusion where the influence of errors is briefly studied.

There are several possibilities for Bob's measurement. We will limit Bob's apparatus to single-photon-detector-based set-ups, similar to the ones used in the BB84 and SARG04 protocols. This will prevent Alice and Bob from extracting all the information allowed by the Holevo bound S(X:Y) = T log 2, or from using continuous-variable detection set-ups [8].

Since Bob's measurement is based on single-photon detectors, Alice and Bob need to post-select away the events where Bob has received no photon, i.e. when Bob's detectors do not click. This can be done by one-way classical communication from Bob to Alice. The kept events constitute a fraction $1 - e^{-T\mu} \simeq T\mu$ of the sent pulses if the sent wcp have a mean photon number of $\mu$. They constitute the raw key, X for Alice and Y for Bob.

When Bob receives a single photon, he makes the POVM $\left\{\frac{2}{m}\,|y\theta_m+\pi\rangle\langle y\theta_m+\pi|\right\}_{y\in[0,m-1]}$. The $\pi$ dephasing doesn't change anything if m is even, but increases the mutual information S(X:Y) between Alice and Bob when m is odd. In particular, it ensures that, for any state sent by Alice, one outcome (y = x) of Bob's measurement is impossible. One can then easily show S(Y) = log m;

$$p(y|x,m) = \frac{1}{m}\bigl(1-\cos((y-x)\theta_m)\bigr); \tag{1}$$

$$S(Y|X) = \log m - \frac{1}{m}\sum_{k=0}^{m-1}(1-\cos k\theta_m)\log(1-\cos k\theta_m); \tag{2}$$

$$S(X{:}Y) = \frac{1}{m}\sum_{k=0}^{m-1}(1-\cos k\theta_m)\log(1-\cos k\theta_m). \tag{3}$$



The mutual information between Alice and Bob S(X:Y|m) decreases slightly with m, from $\log\frac{3}{2} = 0.5850$ bits for m = 3 to $\frac{1}{2\pi}\int_0^{2\pi}(1-\cos\theta)\log(1-\cos\theta)\,d\theta = 0.4427$ bits in the continuous limit $m \to \infty$. For m = 4, we have $S(X{:}Y|m=4) = \frac{1}{2}\log 2$.

When Bob receives more than one photon, several detectors can click. This gives him more information than single clicks, so neglecting this case, as done above, is pessimistic. This corresponds to Bob randomly choosing between the various detection results.

In a reverse reconciliation (rr) scheme iH 0], Alice 
and Bob can share a common key of length S(X:Y) provided Bob sends to Alice S(Y|X) bits of information. For example, when m = 4, Bob needs to send 1.5 bits per pulse. This can be done by revealing his measurement basis (1 bit/pulse) and using the syndrome of a good erasure-correcting code (see e.g. [10, Chapter 50]), which will be slightly over $\frac{1}{2}$ bit long per pulse. Indeed, when Bob has revealed his measurement bases, Alice knows which bits of Y she knows (the ones with the right basis) and which ones she does not know (the other ones), and this corresponds to an erasure channel of rate $\frac{1}{2}$.

Eavesdropping. Their use of erasure-correcting codes instead of interactively throwing some bits away is at the heart of the resistance of this protocol against pns attacks: on 2-photon pulses, Eve can keep a copy of the pulse sent by Alice, and, even if she knows the basis of Bob's measurement, she does not know whether Alice sent a state in the right basis or not. Therefore, in this case, Eve's measurement has at best a 25% error rate, giving her at most $1 - h(\frac{1}{4}) = 0.1887$ bits of information, where h(·) is the binary entropy, while Alice still has half a bit. The net key rate of 2-photon pulses is then 0.3113 bits. In BB84, on the contrary, Alice reveals her basis choice, leaving her on equal footing with Eve for 2-photon pulses.

Note that when m is even, the above idea for the reconciliation can be generalized, i.e. Bob reveals log m − log 2 bits for the basis $y \bmod \frac{m}{2}$ and uses the appropriate error-correcting code for the remaining information. We are then in a situation where Alice has different known error rates $\frac{1}{2}\bigl(1 - \cos((x - y \bmod \frac{m}{2})\theta_m)\bigr)$ for different bits while Eve only sees the average error rate. The following paragraphs will study the above affirmations more formally, in the asymptotic and error-less regime.

Of course, if Alice sends perfect single-photon pulses, the lack of errors guarantees a perfect secrecy of the S(X:Y) key. However, if Alice uses weak coherent pulses (wcp) some attacks become possible without introducing errors, namely intercept-resend with unambiguous state discrimination (irud) and photon-number-splitting attacks (pns), as well as a combination of the two.

In any case, since Alice's pulses are phase randomized, Eve's optimal attack starts by a quantum non-demolition measurement of the photon number n of Alice's pulse [5]. The state sent by Alice is then projected onto

$$|x,n,m\rangle = |x\theta_m\rangle^{\otimes n} = 2^{-\frac{n}{2}}\left(|0\rangle + e^{ix\theta_m}|1\rangle\right)^{\otimes n} \tag{4}$$

$$= 2^{-\frac{n}{2}}\sum_{b=0}^{2^n-1} e^{i\|b\|x\theta_m}\,|b\rangle, \tag{5}$$

where $|b\rangle$ is the tensorial binary development of b and $\|b\|$ its Hamming weight. Note that all terms with the same Hamming weight w modulo m have the same phase prefactor $e^{iwx\theta_m}$. These $\binom{n}{w[m]}$ vectors are orthogonal. We have defined

$$\binom{n}{w[m]} := \sum_{d}\binom{n}{w+dm}, \tag{6}$$

where we have used the usual convention for the binomial coefficient $\binom{n}{w} = 0$ for w > n. Let's define, for each $w \in [0, m-1]$,

$$|w[m]\rangle_n := \frac{1}{\sqrt{\binom{n}{w[m]}}}\sum_{\|b\| = w[m]}|b\rangle. \tag{7}$$

We can then rewrite the state $|x,n,m\rangle$ as

$$|x,n,m\rangle = 2^{-\frac{n}{2}}\sum_{w=0}^{m-1} e^{iwx\theta_m}\sqrt{\binom{n}{w[m]}}\;|w[m]\rangle_n. \tag{8}$$


When Eve measures n photons, she can either block 
the pulse, perform an irud attack or a pns attack. 

irud attacks. If Eve makes an irud attack, her success probability is given in [11] as

$$P(\Delta|m,n) = 2^{-n}\,m\min_{w\in[0,m-1]}\binom{n}{w[m]}. \tag{9}$$



This probability is not null iff $n \ge m-1$, and its value increases each time n increases by 2. Its first nonzero value is $2^{-m+1}m$ for $n \in (m+1, m+2)$. If Eve blocks a fraction $b_n$ of the n-photon pulses, these can be the ones where an unambiguous discrimination has failed. She can then resend with no error a fraction $u_n$ of the original pulses as big as

$$u_n = \max\left(\frac{P(\Delta|n,m)}{1-P(\Delta|n,m)}\,b_n;\ 1-b_n\right). \tag{10}$$

In other words, she can intercept and resend $\frac{P(\Delta|n,m)}{1-P(\Delta|n,m)}$ pulses for each pulse she blocks, without introducing any error.

On the remaining $p_n = 1 - b_n - u_n$ pulses, she can perform a pns attack, keeping n − 1 photons and transmitting the remaining one unperturbed to Bob. We have



p„ - mmy x-<P(k\n,m) ' u j' 



(11) 
One can construct a Markov chain $Y \leftrightarrow X \to |x,n-1,m\rangle$, and since the latter is the state held by Eve when she performs a pns attack, $S(Y{:}E|n,\mathrm{pns}) < S(Y{:}X)$. The inequality is strict because the last transition is not reversible. In other words, pns attacks without irud can never reduce the net RR key rate $K_n = S(Y{:}X) - S(Y{:}E|n,\mathrm{pns})$ to 0, contrary to the BB84 protocol.

The net key rate is zero when all transmitted pulses can be explained by irud attacks, i.e. when $\forall n,\ p_n = 0$. Let $T_c$ be the critical transmission below which our protocol ceases to work. At $T_c$, all the $1 - e^{-T_c\mu} \simeq T_c\mu$ transmitted pulses correspond to the $e^{-\mu}\sum_{n=0}^{\infty}\frac{\mu^n}{n!}P(\Delta|n,m)$ successful irud attacks. We have then



-I In 



1 - 



n=0 



2-m- 



-1! (2) 



m-2 



(12) 

where the last approximation holds when $\mu \ll 1$. We essentially have $T_c \propto \mu^{m-2}$, showing the exponentially increasing robustness of the protocol for increasing m. This dependency is the same as SARG04, but not as BB84,
where T c ~ j- 

FIG. 1: Key rates of the m-states protocols compared to m-state SARG04 and BB84 with wcps for $\mu = 0.1$ and $m \in [3, 6]$. The vertical lines represent the values of $T_c$ given by (12).

FIG. 2: Key rates with optimized $\mu$ for BB84, the m-states protocol, m-state for m = 4 and m = 16.

pns attack. In order to compute the efficiency of the pns attack, one needs to compute the density matrices associated with n-photon pulses. The density matrix corresponding to the state defined in (8) is

$$|x,n,m\rangle\langle x,n,m| = 2^{-n}\sum_{w,w'=0}^{m-1} e^{i(w-w')x\theta_m}\sqrt{\binom{n}{w[m]}\binom{n}{w'[m]}}\;|w[m]\rangle\langle w'[m]| \tag{13}$$

$$= \sum_{D=1-m}^{m-1} e^{iDx\theta_m}\,M_{D,m,n}, \tag{14}$$



where we have defined, for any integer $D \in [1-m, m-1]$, the (shifted) $m \times m$ diagonal matrix



m-l+min(0,D) 



M D , m ,„:=2-" £ ^Ct ] )( W+D n m] )\ w M)( w + D M\- 

7(?=min(0,D) 

(15) 

Let $\rho_{n,m}$ be the average n-photon state sent by Alice. One has then

$$\rho_{n,m} = \frac{1}{m}\sum_{x=0}^{m-1}|x,n,m\rangle\langle x,n,m| = M_{0,m,n}. \tag{16}$$



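When Bob measures Y = y, and Eve keeps n photons, her state conditioned on Bob's measurement is given by

$$\rho_{y,n,m} = \frac{1}{m}\sum_{x=0}^{m-1}\bigl(1-\cos((x-y)\theta_m)\bigr)\,|x,n\rangle\langle x,n| \tag{17}$$

$$= M_0 - \frac{e^{-iy\theta_m}}{2}\left(M_{m-1}+M_{-1}\right) - \frac{e^{iy\theta_m}}{2}\left(M_{-m+1}+M_{1}\right). \tag{18}$$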



Note that in the above equations, the indices m and n have been omitted for $M_D$ for the sake of simplification.

The Holevo limit of the information Eve can gather on 
Bob's measurement through a collective pns attack is 



$$S(Y{:}E|n,\mathrm{pns}) := S(E|n,\mathrm{pns}) - S(E|Y,n,\mathrm{pns}) \tag{19}$$

$$= S(\rho_{n-1,m}) - S(\rho_{y,n-1,m}). \tag{20}$$



These entropies are easily computed numerically and 
decrease slowly with n. 

They are independent of m iff $n \le m-1$, which means that the corresponding S(Y:E) will also be identical in this case. In other words, the information leaked to Eve in m-state protocols is identical to the continuous $m \to \infty$ limit for n-photon pulses when $n \le m-2$, and the only difference at n = m − 1 comes from the irud attack.
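
The Shannon quantities of Eqs. (1)–(3) and the Holevo bound of Eqs. (19)–(20) can be evaluated numerically as follows. This is an added example, not code from the paper: it assumes Eve's n − 1 photons are written in the symmetric (Dicke) basis, takes y = 0 (all outcomes are unitarily equivalent), and covers the pns branch only, not irud. All function names and the small Jacobi eigenvalue routine are choices made here to stay within the standard library.

```python
import math

def mutual_information(m):
    """S(X:Y) in bits, Eq. (3), with theta_m = 2*pi/m."""
    theta = 2 * math.pi / m
    terms = (1 - math.cos(k * theta) for k in range(1, m))
    return sum(t * math.log2(t) for t in terms) / m

def jacobi_eigenvalues(a, sweeps=30):
    """Eigenvalues of a small real symmetric matrix by cyclic Jacobi rotations."""
    n, a = len(a), [row[:] for row in a]
    for _ in range(sweeps):
        for p in range(n):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                d = a[q][q] - a[p][p]
                phi = math.pi / 4 if d == 0 else 0.5 * math.atan(2 * a[p][q] / d)
                c, s = math.cos(phi), math.sin(phi)
                for k in range(n):  # A <- A P (columns p and q)
                    a[k][p], a[k][q] = c*a[k][p] - s*a[k][q], s*a[k][p] + c*a[k][q]
                for k in range(n):  # A <- P^T A (rows p and q)
                    a[p][k], a[q][k] = c*a[p][k] - s*a[q][k], s*a[p][k] + c*a[q][k]
    return [a[i][i] for i in range(n)]

def entropy(rho):
    """Von Neumann entropy in bits of a real symmetric density matrix."""
    return -sum(l * math.log2(l) for l in jacobi_eigenvalues(rho) if l > 1e-12)

def holevo_pns(n, m):
    """S(Y:E|n,pns) = S(rho_{n-1,m}) - S(rho_{y,n-1,m}), Eqs. (19)-(20), at y = 0."""
    k, theta = n - 1, 2 * math.pi / m
    # Dicke-basis amplitudes of |x theta_m>^{(x)k}: sqrt(C(k,j)/2^k) * e^{i j x theta_m}
    amp = [math.sqrt(math.comb(k, j) / 2**k) for j in range(k + 1)]
    def rho(weight):  # (1/m) sum_x weight(x)|x,k,m><x,k,m|; real since weight(x)=weight(-x)
        return [[amp[i] * amp[j] / m * sum(weight(x) * math.cos((i - j) * x * theta)
                                          for x in range(m))
                 for j in range(k + 1)] for i in range(k + 1)]
    average = rho(lambda x: 1.0)                        # Eq. (16)
    given_y = rho(lambda x: 1 - math.cos(x * theta))    # Eq. (17) with y = 0
    return entropy(average) - entropy(given_y)

def net_rate(n, m):
    """K_n = S(X:Y) - S(Y:E|n,pns) for n-photon pulses under a pns attack."""
    return mutual_information(m) - holevo_pns(n, m)

if __name__ == "__main__":
    for m in (3, 4, 16):
        print(m, round(mutual_information(m), 4), [round(net_rate(n, m), 4) for n in range(1, 5)])
```

For m = 4 this reproduces the values quoted in the text: S(X:Y) = 0.5 bits, 0.1887 bits leaked to Eve on 2-photon pulses, and a net rate of 0.3113 bits.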
Key-Rate. The net key rate $K(T,\mu)$ for wcp with $\mu$ photons/pulse on average is therefore

K(T,y) = Ye-> i !- T p n K n with K n :=S(X:Y) - (Y:£|n,PNs) 

H = l U ' 

(21) 

ii=l n=l 

When $T > T_c$ the optimal attack is for Eve to block the pulses with the biggest values of $\frac{K_n}{1-P(\Delta|n,m)}$. This corresponds only roughly to the pulses with the lowest photon number. The corresponding rates for fixed $\mu = 0.1$ are shown in figure 1.

One can also numerically optimize $\mu$ for each value of the transmission T, as shown in figure 2. If the optimal key rate is achieved close to $T_c$, we have, for $\mu \ll 1$,

K - K' m _ x {Ty - P(A\m - 1, m)gj) (23) 

with $K'_{m-1}$ being the (m − 1)th value of the $\frac{K_n}{1-P(\Delta|n,m)}$ coefficients in decreasing order. Optimizing this quantity for $\mu$ is straightforward and gives

^o P t- 2(2^21)^7^ (24) 

^K-rM^f 1 ^ (25) 

i.e. the key rate essentially varies as $K \propto T^{1+\frac{1}{m-2}}$ with a prefactor which slowly decreases with m. This approximation seems in agreement with numerical results, at least for reasonably low m (below 16). The bigger m is, the closer one is to the ideal single-photon case, where
K = |log2. 

Conclusion. The sifting-less protocols described here are as efficient as BB84 and more robust against pns attacks. This robustness lies in the preservation of the non-orthogonality of the sent states by the lack of sifting.

Furthermore, this also allows one to extract a reasonable key for high m, while benefiting from the robustness brought by the increased overlap of the sent states, contrary to the m-state SARG04 variant, which, while robust, has a sifting factor $\propto m^{-3}$ [3].

The most robust variant of this protocol is the limit of continuous phase modulation $m \to \infty$, which actually prevents the irud attack. It is straightforward to show that replacing the m-state POVM used in the above description by the simpler 4-state POVM used in standard BB84 does not change the key rate in this limit.

Before using this protocol, we still need to investigate its security in the presence of a non-zero qber. For perfect single photons and a qber e, one can bound Eve's information by writing the state shared by Alice, Bob


and Eve under the form H \W ABE ) = VaT| ( I >+ > |Ei> + 
VA2 |E 2 ) + VAj |0 + > |E 3 >+ a/AI I*") and optimiz- 
ing Eve's Holevo information S(Y:E). One then straight- 
forwardly find S(Y:E\n = l,e) = h(e). For m = 4, we 
have $S(X{:}Y) = \frac{1}{2}(\log 2 - h(e))$, which gives a net key rate $K = \frac{1}{2}(\log 2 - 3h(e))$, cancelling for a qber e = 6.14%. The expression is less elegant for other values of m, but the critical value of e does not change much, varying between 6.89% for m = 3 and 5.93% for $m \to \infty$. Of course, for a practical application of these protocols, the combination of qber and pns attacks still needs to be investigated, as well as finite-size effects [7].

Another direction worth investigating would be an unbalanced version of our protocol, similar to BB84 with biased basis choice [12], allowing one to double the key rate to ~ 1 bit/pulse instead of ~ 0.5 in the low-loss regime.